Problems with Port Forwarding GL-MT6000

Hello everybody. I am new to OpenWRT and would really appreciate your help! I recently changed from a Fritzbox with factory firmware to a GL-MT6000 with OpenWRT. I run a little homelab via DDNS and port forwarding. I configured OpenWRT to mimic the old FritzBox: same IP range, imported all the static leases, set DDNS up and configured port forwarding, but for some reason every call on my URLs is timing out.

My OpenWRT firmware version is 5.15.167. I use a Zyxel VMG4005-B50A to reach my VDSL provided by the German Telekom. Domain and DDNS provider is Strato.

That's my /etc/config/firewall. 192.168.178.45 is my reverse proxy, which always worked totally fine with my Fritzbox.

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTP'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.178.45'
option dest_port '80'
list proto 'tcp'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTPS'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.178.45'
option dest_port '443'
list proto 'tcp'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'WG'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.178.48'
option dest_port '51820'
list proto 'udp'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'PostGIS'
option src 'wan'
option src_dport '5432'
option dest_port '5432'
option dest_ip '192.168.178.49'
list proto 'tcp'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'HAO'
option src 'wan'
option src_dport '8123'
option dest_ip '192.168.178.64'
option dest_port '8123'
list proto 'tcp'

config forwarding
option src 'wan'
option dest 'lan'

I tried to work on the problem with some AI support. The AI told me to look also at the results of

iptables -t nat -L -v -n

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination   

and

lsmod | grep nat

ip_tables              24576  3 iptable_nat,iptable_mangle,iptable_filter
iptable_nat            12288  0 
nf_conntrack           86016 13 xt_state,xt_nat,xt_conntrack,xt_REDIRECT,xt_MASQUERADE,xt_CT,nft_redir,nft_nat,nft_masq,nft_flow_offload,nft_ct,nf_nat,nf_flow_table
nf_nat                 36864  8 iptable_nat,xt_nat,xt_REDIRECT,xt_MASQUERADE,nft_redir,nft_nat,nft_masq,nft_chain_nat
nf_tables             163840379 nft_fib_inet,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject,nft_redir,nft_quota,nft_objref,nft_numgen,nft_nat,nft_masq,nft_log,nft_limit,nft_hash,nft_flow_offload,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_ct,nft_counter,nft_compat,nft_chain_nat
nft_chain_nat          12288  2 
nft_nat                12288 15 
x_tables               28672 21 iptable_nat,xt_state,xt_nat,xt_conntrack,xt_REDIRECT,xt_MASQUERADE,xt_CT,nft_compat,iptable_mangle,iptable_filter,ipt_REJECT,ip_tables,xt_time,xt_tcpudp,xt_multiport,xt_mar

I don't think it is breaking anything, but remove this. The redirects imply that packets will be forwarded. A regular config forwarding does not work backward through NAT.

Other than that it looks OK. Check that the IP held by the wan interface is public, and matches the one in DDNS. Check that the servers are actually at the proper LAN IPs. Run some packet captures to see if requests from the Internet are making it in through the ISP and then capture on lan to confirm that they have been forwarded.

1 Like
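The checklist in this reply (public wan address, DDNS match, captures on wan and lan) as an added POSIX shell helper; it is not from the thread or from OpenWrt. DDNS_NAME is a placeholder, FWD_PORT and LAN_TARGET default to the HTTPS redirect in the posted /etc/config/firewall, and the live checks use OpenWrt's ubus, jsonfilter and nslookup when present.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the thread). Classifies the wan address,
# compares it with the DDNS name and prints the two tcpdump commands to run.
DDNS_NAME="${DDNS_NAME:-myhome.ddns.example.invalid}"   # placeholder hostname
FWD_PORT="${FWD_PORT:-443}"                              # HTTPS redirect from the config
LAN_TARGET="${LAN_TARGET:-192.168.178.45}"               # reverse proxy from the config

# classify_ipv4 ADDR -> prints public|private|cgnat|loopback|linklocal|invalid.
# A private or cgnat address on wan means another NAT (modem in router mode,
# carrier-grade NAT) sits in front of OpenWrt, so the redirects are never reached.
classify_ipv4() {
    case "$1" in *[!0-9.]*|"") echo invalid; return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || { echo invalid; return 1; }
    done
    if [ "$1" -eq 10 ] || { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } \
        || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then echo private
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat
    elif [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo linklocal
    else echo public
    fi
}

# Compare the address held by the wan interface with what the DDNS name resolves
# to right now. Skipped outside OpenWrt (no ubus).
check_wan_vs_ddns() {
    command -v ubus >/dev/null 2>&1 || { echo "ubus not found, skipping live check"; return 0; }
    wan_ip=$(ubus call network.interface.wan status | jsonfilter -e '@["ipv4-address"][0].address')
    ddns_ip=$(nslookup "$DDNS_NAME" 2>/dev/null | awk 'f && /^Address/ {print $NF; exit} /^Name:/ {f=1}')
    echo "wan: ${wan_ip:-none} ($(classify_ipv4 "${wan_ip:-x}"))  ddns: ${ddns_ip:-unresolved}"
    [ -n "$wan_ip" ] && [ "$wan_ip" = "$ddns_ip" ] && echo "match" || echo "MISMATCH: fix DDNS or upstream NAT"
}

# Captures suggested in the reply: one on wan for requests arriving from the
# Internet, one on lan to confirm the DNAT delivered them to the target host.
print_capture_commands() {
    wan_dev=$( { ubus call network.interface.wan status | jsonfilter -e '@.l3_device'; } 2>/dev/null )
    echo "tcpdump -ni ${wan_dev:-wan} tcp port $FWD_PORT"
    echo "tcpdump -ni br-lan host $LAN_TARGET and tcp port $FWD_PORT"
}

check_wan_vs_ddns
print_capture_commands
```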

Remove all stains of iptables and kmod-ipt; they are absolutely useless on modern OpenWRT. If you have some antique rule you may need only ???tables-nft and the included iptables-translate tool.

1 Like

Yes, this should be configured with a standard release build and the default firewall. Don't add any iptables-related packages.

With very bad luck something like Docker may add rules which conflict with nftables in the kernel, in a way where one's forwarding becomes the other's output and drops.

It's always fun when someone comes in with what appears to be a basic installation but eventually they reveal there's also three VPN interfaces, adguard, etc. that they didn't consider worth mentioning in the first post.

3 Likes

That probably came from some testing I did yesterday. I started over with a clean installation, configured DHCP, DDNS and port forwarding over LuCI. Problem persists unfortunately.

Please add

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
nft list ruleset | grep xt

Remove 2nd half of MAC/IP addresses, any keys, passwords, other identifiable info.

Thanks a lot everybody! It was a problem with the DDNS. I fixed that and added exceptions for the rebind protection and now everything is working fine!